SGI warns of Apache-IRIX vulnerability
ZDNet (UK) | March 20, 2002, 9:00 AM PT | Matthew Broersma
Posted on 03/20/2002 11:25:33 AM PST by Bush2000
Silicon Graphics (SGI) machines running the Apache Web server on SGI's IRIX operating system are vulnerable to attack by hackers, who may be able to gain administrator-level access, the company has warned. The company makes machines used for everything from scientific research to movie special effects, and many are used by government and defense organizations. The two new flaws, originally announced on Friday, affect IRIX versions 6.5.12, 6.5.13 and 6.5.14 running Apache versions prior to 1.3.22. IRIX is SGI's proprietary version of the Unix operating system, while Apache is a widely used open-source Web server, which is installed and enabled by default on IRIX.
One vulnerability was found in Apache's split-logfile program, a support tool for managing the Web server's log files. SGI said that if the feature is turned on, a specially crafted request could allow any file with a .log extension on the system to be written to, which could be used to give an attacker full access to the system. split-logfile is not turned on by default.
The second bug was found in Apache's MultiViews facility, the content-negotiation feature that lets the server choose which variant of a document to send to a Web browser. In some configurations, a specially formed query can make the server return a directory listing, which could allow an attacker to discover the locations of sensitive files on the system.
SGI hasn't released a patch for the flaws, but instead recommends that users upgrade to an operating system newer than 6.5.14, which includes a newer version of Apache in which the problems have been resolved. If the software can't be upgraded immediately, the company recommends disabling Apache.
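The two conditions the article describes (an Apache 1.3 build older than 1.3.22, and MultiViews left enabled for a directory) are both things an administrator can check for locally. The script below is an added example, not code from the article, from SGI or from the Apache project. It assumes the version banner format printed by `httpd -v` ("Server version: Apache/1.3.x (Unix)") and that `Options` directives live in a single httpd.conf; the configuration fragment and banner it runs on are constructed samples. Python is used here for readability and portability, even though on an IRIX host the checks would more likely be typed into a shell.

```python
"""Added example, not code from the article, SGI or the Apache project.

Two defender-side checks that correspond to the article's two findings on an
IRIX/Apache host: (1) is the installed Apache release older than 1.3.22, the
version the article names as fixed, and (2) which <Directory> sections in
httpd.conf have MultiViews switched on.  The banner format assumed is that of
`httpd -v` ("Server version: Apache/1.3.x (Unix)"); the httpd.conf text below
is a constructed sample, not a real configuration file.
"""
import re

FIXED_VERSION = (1, 3, 22)  # per the article: Apache 1.3.22 and later are fixed

VERSION_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)")
OPTIONS_RE = re.compile(r"^\s*Options\s+(.+?)\s*$", re.IGNORECASE)
DIR_OPEN_RE = re.compile(r'^\s*<Directory\s+"?([^">]+?)"?\s*>', re.IGNORECASE)
DIR_CLOSE_RE = re.compile(r"^\s*</Directory\s*>", re.IGNORECASE)


def parse_apache_version(banner: str) -> tuple:
    """Return (major, minor, patch) from a version banner such as `httpd -v` output."""
    m = VERSION_RE.search(banner)
    if m is None:
        raise ValueError(f"no Apache version string in {banner!r}")
    return tuple(int(part) for part in m.groups())


def version_is_vulnerable(banner: str) -> bool:
    """True when the banner reports a release older than 1.3.22.

    The article only covers the 1.3 line; a plain tuple comparison also treats
    the later 2.0 line as not affected by these two findings.
    """
    return parse_apache_version(banner) < FIXED_VERSION


def multiviews_enabled_dirs(conf_text: str) -> list:
    """Return the scopes ('<server>' or a <Directory> path) where the Options
    directives in conf_text leave MultiViews enabled.

    Apache semantics modelled here: an Options line whose tokens carry no +/-
    replaces the option set outright, so MultiViews is on only if it is listed;
    a line of +/- tokens adjusts the current set.  'Options All' is NOT
    flagged, because in Apache 'All' means every option except MultiViews.
    Not modelled: .htaccess files, <Location>/<VirtualHost> scopes, Include.
    """
    scope = "<server>"
    enabled = {}  # scope -> whether MultiViews is on after the lines seen so far
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DIR_OPEN_RE.match(line)
        if m:
            scope = m.group(1)
            continue
        if DIR_CLOSE_RE.match(line):
            scope = "<server>"
            continue
        m = OPTIONS_RE.match(line)
        if not m:
            continue
        tokens = m.group(1).split()
        if all(t[0] in "+-" for t in tokens):
            for t in tokens:  # relative form: only +MultiViews/-MultiViews matter
                if t[1:].lower() == "multiviews":
                    enabled[scope] = t.startswith("+")
        else:  # absolute form: the listed options replace the previous set
            enabled[scope] = any(t.lower() == "multiviews" for t in tokens)
    return sorted(s for s, on in enabled.items() if on)


# Constructed sample inputs for the example (not taken from any real host).
SAMPLE_CONF = """\
# constructed httpd.conf fragment for the example
Options FollowSymLinks
<Directory "/usr/local/apache/htdocs">
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
</Directory>
<Directory "/usr/local/apache/cgi-bin">
    Options All
</Directory>
<Directory /srv/docs>
    Options +MultiViews
    Options -MultiViews
</Directory>
"""
SAMPLE_BANNER = "Server version: Apache/1.3.20 (Unix)"


def audit(banner: str, conf_text: str) -> dict:
    """Combine both checks into one report for a host."""
    return {
        "version": parse_apache_version(banner),
        "needs_upgrade": version_is_vulnerable(banner),
        "multiviews_dirs": multiviews_enabled_dirs(conf_text),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_BANNER, SAMPLE_CONF))
```

On the sample input the report flags the 1.3.20 build as needing the upgrade SGI recommends and lists only `/usr/local/apache/htdocs`: the `cgi-bin` section uses `Options All`, which in Apache excludes MultiViews, and `/srv/docs` turns it on and then off again. Because `.htaccess` files and other container types are not modelled, an empty `multiviews_dirs` list is evidence, not proof, that the facility is off everywhere.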
TOPICS: Business/Economy
KEYWORDS: apache; computersecurityin; techindex
Tsk, tsk ... I'm shocked, shocked, shocked that Apache has bugs!
1 posted on 03/20/2002 11:25:33 AM PST by Bush2000
To: *Tech_index;*Computer Security In
index bump
To: Campion, Johnny B.
Calling all open source shills... Patch this.
3 posted on 03/20/2002 11:43:57 AM PST by Bush2000
To: Bush2000
According to the article, the problem is fixed in current versions of Apache, which are -- of course -- available for free over the 'net. SGI being slow to propagate a fix reflects badly on open source ... how?
4 posted on 03/20/2002 11:56:38 AM PST by Campion
To: Campion
Exactly. And, if you read the whole release, one of the bugs isn't enabled by default and the other only if the user does some unnamed arcane configurations.
To: Bush2000
You seem to be suggesting that since a bug was found in open source software, that therefore claims by open source "shills" that open source web servers are more secure than Microsoft servers are bogus.
I will offer the following analogy to lurkers, but I don't expect it to persuade you. A big Mercedes is safer than a Yugo in an accident. That doesn't mean that you can't die in a big Benz. And retorts by Yugo lovers, when there is a fatal crash involving a big Mercedes, that smell of "see I told you so -- your stuff can crash and burn too" are disingenuous at best.
Signed -- an open source shill and proud of it.
To: Bush2000
Incidentally, Apache 1.3.22 (fixed) has a release date of October 9. Apache 1.3.23 is the current version, released Jan 24.
Do you really think that Apache bugs which have been fixed for six months are important enough to warrant an FR post?
7 posted on 03/20/2002 12:02:49 PM PST by Campion
To: ThePythonicCow
> You seem to be suggesting that since a bug was found in open source software, that therefore claims by open source "shills" that open source web servers are more secure than Microsoft servers are bogus.
That's exactly what I'm saying. Any server connected to the network -- regardless of whether it's open source or closed -- is vulnerable to intrusion. Anybody who argues differently is a liar.
8 posted on 03/20/2002 12:04:49 PM PST by Bush2000
To: Bush2000
Anyone running APACHE or anything that needs security on an SGI box gets what they deserve... SGI UX is about as secure as the Clinton white house.
To: Campion
> Do you really think that Apache bugs which have been fixed for six months are important enough to warrant an FR post?
Of course it matters. Apache isn't exactly telegraphing their bugs and patches to all affected parties.
10 posted on 03/20/2002 12:05:56 PM PST by Bush2000
To: Bush2000
I was right -- you were unable to comprehend my analogy.
Over and out.
To: HamiltonJay
> Anyone running APACHE or anything that needs security on an SGI box gets what they deserve... SGI UX is about as secure as the Clinton white house.
Ah, yes. The "blame-the-customer" ploy. Verrrry mature.
12 posted on 03/20/2002 12:08:02 PM PST by Bush2000
To: ThePythonicCow
> I was right -- you were unable to comprehend my analogy.
Wrong. I don't buy your analogy that *nix is a Mercedes and Windows is a Yugo. Try another.
13 posted on 03/20/2002 12:08:38 PM PST by Bush2000
To: Bush2000
Do you ever shut up?
To: Black Agnes
God knows, no admin would ever turn on an arcane configuration ...
/sarcasm
15 posted on 03/20/2002 12:09:34 PM PST by Bush2000
To: Digital Chaos
> Do you ever shut up?
Nope. And you can ram your suggestion where it belongs.
16 posted on 03/20/2002 12:10:21 PM PST by Bush2000
To: Bush2000
It's not about blaming the customer, it's the truth. But I suppose my 15 years working in the industry is irrelevant since your political and personal viewpoint is all that really matters.
To: HamiltonJay
> SGI UX is about as secure as the Clinton white house.
That always annoyed me back when running a bunch of SGI systems was a big part of my job. When I got new machines, I'd have to turn the blasted things on disconnected from the network and close all the holes they left open by default, before I dared plug in the network cable.
AB
To: Bush2000
> Apache isn't exactly telegraphing their bugs and patches to all affected parties.
No, they use T3 lines and ftp, not telegraphs. It took me between 30 and 60 seconds to research the release dates and find out that you're harping on a bug that's dead for six months. I rest my case.
Brother, you really need to get a life.
19 posted on 03/20/2002 12:11:47 PM PST by Campion
To: Bush2000
Well, one more observation. I say more secure; you read this as my denying any vulnerability. In mathematical terms, I say A is less than B, and you suggest I'm a liar for claiming A equals zero.
I trust you are capable of understanding that "A < B" is not the same claim as "A == 0".
Perhaps I trust too much.